Solved

H323 through an ASA

Posted on 2011-03-07
Last Modified: 2012-08-14
I have a setup as follows

H323 v codec ----- Cisco 877 -----VPN-----(outside) Cisco ASA 5510 (inside) ------- H323 Gateway.

The problem is that the H323 video codec is not registering with the H323 gateway. Other codecs which do not go through the firewall register with the gateway ok. The routing, VPN and connectivity between the two gateways is fine; they can talk to each other on any port on any protocol.

A packet capture on the 877 shows that the codec is sending out H323 register packets. With a show ipsec sa detail you can see the packets are being encrypted, as this is currently the only traffic on the link. On the Cisco ASA you can see the packets are being decrypted, but then they vanish. A packet capture on the inside interface of the firewall shows no traffic from the video codec.

Full debugging on both the ASA and 877 does not show any errors. I have tried having the inspect option h323 turned both on and off for the ASA.

Anyone got any ideas on why this traffic would be blocked?



 
Question by: question01

12 Comments
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35062022
LVL 20

Expert Comment

by:netcmh
ID: 35062078
policy-map global_policy
 class inspection_default
  inspect h323
  inspect sip

Would be all that's required, I think.
LVL 1

Author Comment

by:question01
ID: 35062124
Yes, I have tried it with the following config and without.

policy-map global_policy
class inspection_default
inspect h323 h225
inspect h323 ras
 
Makes no difference.

Does the global_policy definitely apply to traffic coming out of a VPN?
LVL 1

Author Comment

by:question01
ID: 35062131
Why would I need SIP?
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35062180
Did you apply the policy to the outside interface?
What do the logs show?
LVL 1

Author Comment

by:question01
ID: 35062297
The global_policy applies to all traffic by default, doesn't it?

The only log from the ASA which mentions the codec is

Tear-down local-host outside:10.x.x.x duration: 00:00:00

The 10.x.x.x is the codec. This log gets created every 10 seconds or so with the duration at 00:00:00.
LVL 1

Author Comment

by:question01
ID: 35062604
Canberra-ASA# show service-policy inspect h323 h225

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection
Canberra-ASA# show service-policy inspect h323 ras

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
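As an added diagnostic example (not code from this thread or from Cisco), the Python script below parses the kind of "show service-policy inspect h323 ..." counter output quoted above and the repeating zero-duration "Teardown local-host" syslog line mentioned earlier in the thread. It flags inspection classes that have matched no packets at all and hosts whose connections are torn down immediately, which is the pattern this question describes. The show output and syslog lines are constructed samples, and the host address 10.0.0.5 is a placeholder for the codec.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show service-policy inspect h323"
# output quoted in the thread (not a live capture).
SHOW_SERVICE_POLICY = """\
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
        h245-tunnel-block drops 0 connection

Interface outside:
  Service-policy: pmap
    Class-map: cmap
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
        h245-tunnel-block drops 0 connection
"""

# Constructed syslog lines; 10.0.0.5 is a placeholder for the codec address.
SAMPLE_SYSLOG = [
    "Teardown local-host outside:10.0.0.5 duration: 00:00:00",
    "Teardown local-host outside:10.0.0.5 duration: 00:00:00",
    "Teardown local-host inside:192.0.2.10 duration 0:05:12",
    "Teardown local-host outside:10.0.0.5 duration: 00:00:00",
    "Built inbound TCP connection for outside:10.0.0.5/1720",
    "Teardown local-host outside:10.0.0.5 duration: 00:00:00",
]

SCOPE_RE = re.compile(r"^(Global policy|Interface (\S+)):")
POLICY_RE = re.compile(r"^\s+Service-policy: (\S+)")
CLASS_RE = re.compile(r"^\s+Class-map: (\S+)")
INSPECT_RE = re.compile(
    r"^\s+Inspect: (.+?), packet (\d+), drop (\d+), reset-drop (\d+)")
# Accepts both "duration: 00:00:00" (as quoted in the thread) and "duration 0:00:00".
TEARDOWN_RE = re.compile(
    r"Teardown local-host (\S+?):(\S+) duration:? (\d+):(\d+):(\d+)")


def parse_inspect_counters(text):
    """Walk the show output and return one record per Inspect counter line,
    tagged with its scope (global or interface name), service-policy and class-map."""
    rows = []
    scope = policy = cls = None
    for line in text.splitlines():
        m = SCOPE_RE.match(line)
        if m:
            scope = "global" if m.group(1) == "Global policy" else m.group(2)
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = INSPECT_RE.match(line)
        if m:
            rows.append({
                "scope": scope, "policy": policy, "class": cls,
                "inspect": m.group(1),
                "packet": int(m.group(2)), "drop": int(m.group(3)),
                "reset_drop": int(m.group(4)),
            })
    return rows


def idle_inspections(rows):
    """Inspect entries that have never matched a packet: if the traffic reaches
    the ASA at all, it is not being classified into these classes."""
    return [r for r in rows if r["packet"] == 0]


def zero_duration_teardowns(log_lines, threshold=3):
    """Count local-host teardowns with a 00:00:00 duration per (interface, host).
    A host that repeatedly hits the threshold is having its state created and
    torn down immediately, i.e. no flow is actually surviving through the box."""
    counts = Counter()
    for line in log_lines:
        m = TEARDOWN_RE.search(line)
        if not m:
            continue
        seconds = int(m.group(3)) * 3600 + int(m.group(4)) * 60 + int(m.group(5))
        if seconds == 0:
            counts[(m.group(1), m.group(2))] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def diagnose(show_text, log_lines):
    """Combine both checks into human-readable findings."""
    findings = []
    for r in idle_inspections(parse_inspect_counters(show_text)):
        findings.append(
            f"{r['scope']}/{r['policy']}/{r['class']}: '{r['inspect']}' matched 0 packets")
    for (iface, host), n in zero_duration_teardowns(log_lines).items():
        findings.append(f"{iface}:{host}: {n} zero-duration local-host teardowns")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_SERVICE_POLICY, SAMPLE_SYSLOG):
        print(finding)
```

Run against real output by pasting the "show service-policy inspect" text and a syslog excerpt in place of the constructed samples; a non-empty findings list tells you the packets are not reaching the inspection engine, which is what the counters in this thread show, and does not by itself say where on the path they are dropped.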
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 35066334
It shows that the inspection did not recognize the h323 packets...
LVL 1

Author Comment

by:question01
ID: 35075006
Yes, it looks that way. So why would it not be inspecting the h323 packets?

Does the global policy apply to traffic coming out of a VPN?

LVL 1

Accepted Solution

by: question01 (earned 0 total points)
ID: 35089993
After a reboot of the firewall the problem is resolved. Not sure what was causing the problem, but the VPN was playing up with some strange errors.

LVL 1

Author Closing Comment

by:question01
ID: 35126460
Reboot fixed it.
LVL 20

Expert Comment

by:netcmh
ID: 35129291
Glad you got that resolved.